[github/Chocobozzz/PeerTube.git] / server / controllers / api / users / two-factor.ts

import express from 'express'
import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
import { encrypt } from '@server/helpers/peertube-crypto'
import { CONFIG } from '@server/initializers/config'
import { Redis } from '@server/lib/redis'
import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
import {
  confirmTwoFactorValidator,
  disableTwoFactorValidator,
  requestOrConfirmTwoFactorValidator
} from '@server/middlewares/validators/two-factor'
import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'

const twoFactorRouter = express.Router()

twoFactorRouter.post('/:id/two-factor/request',
  authenticate,
  asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
  asyncMiddleware(requestOrConfirmTwoFactorValidator),
  asyncMiddleware(requestTwoFactor)
)

twoFactorRouter.post('/:id/two-factor/confirm-request',
  authenticate,
  asyncMiddleware(requestOrConfirmTwoFactorValidator),
  confirmTwoFactorValidator,
  asyncMiddleware(confirmRequestTwoFactor)
)

twoFactorRouter.post('/:id/two-factor/disable',
  authenticate,
  asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
  asyncMiddleware(disableTwoFactorValidator),
  asyncMiddleware(disableTwoFactor)
)

// ---------------------------------------------------------------------------

export {
  twoFactorRouter
}

// ---------------------------------------------------------------------------

async function requestTwoFactor (req: express.Request, res: express.Response) {
  const user = res.locals.user

  const { secret, uri } = generateOTPSecret(user.email)

  const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)

  return res.json({
    otpRequest: {
      requestToken,
      secret,
      uri
    }
  } as TwoFactorEnableResult)
}

async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
  const requestToken = req.body.requestToken
  const otpToken = req.body.otpToken
  const user = res.locals.user

  const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
  if (!encryptedSecret) {
    return res.fail({
      message: 'Invalid request token',
      status: HttpStatusCode.FORBIDDEN_403
    })
  }

  if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
    return res.fail({
      message: 'Invalid OTP token',
      status: HttpStatusCode.FORBIDDEN_403
    })
  }

  user.otpSecret = encryptedSecret
  await user.save()

  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
}

async function disableTwoFactor (req: express.Request, res: express.Response) {
  const user = res.locals.user

  user.otpSecret = null
  await user.save()

  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
}
Commit	Line	Data
56f47830 C	1	import express from 'express'
56f47830 C	2	import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
a3e5f804 C	3	import { encrypt } from '@server/helpers/peertube-crypto'
a3e5f804 C	4	import { CONFIG } from '@server/initializers/config'
56f47830	5	import { Redis } from '@server/lib/redis'
2166c058	6	import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
56f47830 C	7	import {
	8	confirmTwoFactorValidator,
	9	disableTwoFactorValidator,
	10	requestOrConfirmTwoFactorValidator
	11	} from '@server/middlewares/validators/two-factor'
	12	import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
	13
	14	const twoFactorRouter = express.Router()
	15
	16	twoFactorRouter.post('/:id/two-factor/request',
	17	authenticate,
2166c058	18	asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
56f47830 C	19	asyncMiddleware(requestOrConfirmTwoFactorValidator),
	20	asyncMiddleware(requestTwoFactor)
	21	)
	22
	23	twoFactorRouter.post('/:id/two-factor/confirm-request',
	24	authenticate,
	25	asyncMiddleware(requestOrConfirmTwoFactorValidator),
	26	confirmTwoFactorValidator,
	27	asyncMiddleware(confirmRequestTwoFactor)
	28	)
	29
	30	twoFactorRouter.post('/:id/two-factor/disable',
	31	authenticate,
2166c058	32	asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
56f47830 C	33	asyncMiddleware(disableTwoFactorValidator),
	34	asyncMiddleware(disableTwoFactor)
	35	)
	36
	37	// ---------------------------------------------------------------------------
	38
	39	export {
	40	twoFactorRouter
	41	}
	42
	43	// ---------------------------------------------------------------------------
	44
	45	async function requestTwoFactor (req: express.Request, res: express.Response) {
	46	const user = res.locals.user
	47
	48	const { secret, uri } = generateOTPSecret(user.email)
a3e5f804 C	49
	50	const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
	51	const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
56f47830 C	52
	53	return res.json({
	54	otpRequest: {
	55	requestToken,
	56	secret,
	57	uri
	58	}
	59	} as TwoFactorEnableResult)
	60	}
	61
	62	async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
	63	const requestToken = req.body.requestToken
	64	const otpToken = req.body.otpToken
	65	const user = res.locals.user
	66
a3e5f804 C	67	const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
a3e5f804 C	68	if (!encryptedSecret) {
56f47830 C	69	return res.fail({
	70	message: 'Invalid request token',
	71	status: HttpStatusCode.FORBIDDEN_403
	72	})
	73	}
	74
a3e5f804	75	if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
56f47830 C	76	return res.fail({
	77	message: 'Invalid OTP token',
	78	status: HttpStatusCode.FORBIDDEN_403
	79	})
	80	}
	81
a3e5f804	82	user.otpSecret = encryptedSecret
56f47830 C	83	await user.save()
	84
	85	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
	86	}
	87
	88	async function disableTwoFactor (req: express.Request, res: express.Response) {
	89	const user = res.locals.user
	90
	91	user.otpSecret = null
	92	await user.save()
	93
	94	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
	95	}